Digital identity is fundamental to digital interactions. In a nutshell, it is the basis for originating legitimate transactions by and between entities, for maintaining the uniqueness needed to identify (read: authenticate) them, and for authorizing usage or access. Multiple tools and techniques are deployed for digital identity management at almost every layer of the well-known OSI model, via UserID, DeviceID, TransactionID and/or SessionID and so on, and new ones keep emerging to keep pace with today's fast-changing paradigm of distributed systems and device-based communication.
Need for efficient and effective digital identity
The essential need for digital identity management revolves around a single source of truth across all environments, application processes/sessions, networks, devices and the correlations between them: a unique identifier that identifies each user, device and session/transaction and maintains the trust relationships needed for secure, repeatable and efficient digital interactions. Essentially, a digital identity management system should enable digital transactions to be completed securely, conveniently and effectively. The key drivers for digital identity management are:
- Increasing transaction volumes: the number of identity-dependent transactions is growing through increased use of the digital channel and increasing connectivity between entities and digital assets.
- Increasing transaction complexity: the explosion of digital transactions increasingly involves very disparate entities without previously established relationships (e.g., customers and businesses, devices, etc.) transacting cross-border via connected devices and applications through distributed endpoints/gateways.
- Stringent regulatory requirements: governments and regulators are demanding increased transparency around digital transactions, meaning that all involved digital entities require greater granularity and accuracy in the identity information they capture, and are increasingly being held liable for inaccurate or missing identity information or compromises thereof.
- Increasing impact of financial loss or reputational damage: bad actors in the digital universe use sophisticated technologies and tools to conduct illicit activities, causing financial and reputational damage by exploiting weak digital identity management or gaining illegitimate access to digital assets.
- Rising user expectations: users expect seamless, secure and omni-channel digital service delivery, or else migrate to more secure options/services that offer the best customer experience without compromising personal data privacy and protection needs.
Building blocks of the digital identity ecosystem
The applicability of trusted identities involves privileges: what actions or activities are allowed for a given identity within a given ecosystem, how the identity can federate with other elements, and for how long. For example, a typical payment transaction authorizes the user with his banking system and allows the set of actions he is entitled to for as long as he remains connected; once he 'logs out', those privileges are revoked and the user needs to re-establish his authenticity via the login process, which asks for user credentials (password, OTP or biometric, etc.) to establish an 'authenticated session' in which transactions can be carried out securely. Let us decipher each stage in this example to help understand what is involved and how it happens.
- User Identity: typically a unique user ID granted to the user during the bank's registration process; this ensures the user is validated via an eKYC process and has an account associated with his ID. This stage is Registration / Provisioning of identity.
- User Credentials: typically identifiers associated with the unique user ID and used for validation each time the user interacts with the banking applications. This involves userID, password, biometric, OTP, DeviceID (for the devices the user uses to interact with digital banking entities), etc., and lets the banking application authorize the user to connect and populate his entitlements or services as privileges. This stage is Authentication of identity.
- User Entitlements & Attributes: an essential part of the digital identity management process that enables authorization of service entitlements for the user after his credentials are validated, granting the associated access to a set of digital services within the banking system. At this stage the user is fully authenticated and authorized to perform a set of actions or initiate transactions with the banking application ecosystem. This stage is Pre-authorization / Verification of identity and access management.
- User Actions / Transaction Enablement: this step becomes more granular when the system generates tokens to facilitate access to core system components and initiate transaction sessions by and between banking system modules and/or third-party entities, encapsulating user credentials to safeguard privacy while maintaining trust. Further, it assigns unique transaction IDs based on the user's actions (payment transfers, etc.) mapped to the user account and banking records. This is the Authorization stage: performing transactions using the identity and the access grant.
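The four stages above, as an added Python example (not code from the original article): registration stores only a salted PBKDF2 hash of the password, authentication compares in constant time, entitlements are looked up after authentication, and the transaction step issues a short-lived HMAC-signed token bound to the user, the entitled action and a unique transaction ID. The in-memory store, user names and actions are constructed sample data.

```python
import hashlib, hmac, os, secrets, time

USERS = {}                            # user_id -> {"salt", "hash", "entitlements"}; constructed in-memory store
TOKEN_KEY = secrets.token_bytes(32)   # server-side secret used to sign transaction tokens
PBKDF2_ROUNDS = 200_000

def register(user_id, password, entitlements):
    """Stage 1, Registration / Provisioning: store a salted hash, never the password."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[user_id] = {"salt": salt, "hash": pw_hash, "entitlements": set(entitlements)}

def authenticate(user_id, password):
    """Stage 2, Authentication: recompute the hash and compare in constant time."""
    rec = USERS.get(user_id)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["hash"])

def entitlements(user_id):
    """Stage 3, Pre-authorization: the services the authenticated user may use."""
    return set(USERS[user_id]["entitlements"])

def issue_transaction_token(user_id, action, ttl=300):
    """Stage 4, Authorization: short-lived HMAC-signed token bound to user, action and a transaction ID."""
    if action not in entitlements(user_id):
        raise PermissionError(f"{user_id} is not entitled to {action}")
    txn_id = secrets.token_hex(8)
    expiry = int(time.time()) + ttl
    payload = f"{user_id}|{action}|{txn_id}|{expiry}"
    sig = hmac.new(TOKEN_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}|{sig}"

def verify_transaction_token(token, now=None):
    """Core-system side: reject tampered or expired tokens; return the bound claims otherwise."""
    parts = token.split("|")
    if len(parts) != 5:
        return None
    user_id, action, txn_id, expiry, sig = parts
    expected = hmac.new(TOKEN_KEY, "|".join(parts[:4]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if (now if now is not None else time.time()) >= int(expiry):
        return None
    return {"user": user_id, "action": action, "txn_id": txn_id}
```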
Building further upon this thought process, this interactive process can be generalized to all digital transactions for authentication and authorization of user identities and the attributes/entitlements thereof. With the emergence of machine-to-machine / IoT (read: Internet of Things) communication, a similar approach is adopted for a unique DeviceID; all the stages and elements described above are important aspects of the identity management life cycle and governance framework. Note that a DeviceID can be used either to identify devices used by a user or to identify two devices interacting with each other without human intervention (IoT / M2M cases); in both scenarios the following concepts remain applicable, although the processes and techniques used differ and depend on the use-case deployment.
Authentication is simply the process of verifying a digital identity, given its credentials in the case of a known or pre-registered identity. There are multiple techniques used for authentication, starting from simple username, password or PIN combinations, or using external identity federation services such as SSO (read: Single Sign-On) or MFA (read: Multi-Factor Authentication), and going further up the OSI layers to transaction-level sessions and token grants, or using digital signatures/certificates to verify the credentials of users or websites.
There are multiple IdPs (read: Identity Providers), for example, that provide federated digital identities for users who subscribe to share their digital IDs with trusted partners. It is simply an authentication-sharing ecosystem that allows users to use their username, password or other ID seamlessly across multiple entities to gain access to more than one trusted partner of the ecosystem running under the same identity provider. Federated authentication is the most widely adopted third-party authentication in digital identity enablement in today's cyberspace, enabled by IdPs; it is the concept we briefly touched upon earlier, with wide-scale adoption and user acquisition that starts from mobile devices and web accounts as a native feature, seamlessly connecting users to digital assets and stores, and managing digital identities in a common digital identity store. IdPs operate on a much larger canvas than a typical enterprise identity authentication system or a specific web application: they federate multiple stakeholders and entities with digital assets via dynamic trusted relationships to facilitate digital transactions, reduce user password fatigue and decrease the potential attack surface for users.
Another key concept in authentication is the use of public and private keys. Public key algorithms are fundamental security primitives in modern cryptosystems, including applications and protocols that offer assurance of the confidentiality, authenticity and non-repudiability of electronic communications and data storage between participating entities. In such a system, any originator can encrypt a message using the intended receiver's public key, but that encrypted message can only be decrypted with the receiver's private key, which is known only to the receiver. These are proven techniques in the digital identity authentication domain and are used by a public key infrastructure (PKI), in which one or more external parties known as CAs (read: certificate authorities) certify ownership of key pairs for authenticity; this implies that the PKI system (software, hardware and management) must be trustworthy for all involved digital entities.
Authorization, in the digital security context, dictates the user's entitlements, specifying access rights/privileges to resources depending on the role and the rules of interaction, or well-defined access policies, for providing access to digital entities; it dictates the framework of actions or transactions a user can perform within a given set of services. RBAC (read: Role-Based Access Control), for example, is prevalent in multi-user operating systems, where users are given resource or service privileges based on the roles tagged to the user. For authorization to function effectively, policy definition and enforcement are the key principles on which the authorization governance framework rests for the security of digital assets and resources. In principle the authorization process tailgates authentication as an outcome for the user, and often falls between the access control and user privileges metaphors. At times authentication and authorization go hand in hand as part of a single transaction, as with session tokens, to ensure successful and secure digital transactions for each and every digital entity involved in the given transaction/interaction.
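Policy definition and enforcement for RBAC, as an added Python example (not from the original article): roles are granted (action, resource) permissions, roles may inherit from other roles, users are assigned roles, and the enforcement check denies by default. The bank roles, users and resources are a constructed sample policy.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """RBAC policy: roles hold (action, resource) grants, roles can inherit, users hold roles."""
    role_permissions: dict = field(default_factory=dict)   # role -> {(action, resource), ...}
    role_parents: dict = field(default_factory=dict)       # role -> {parent role, ...}
    user_roles: dict = field(default_factory=dict)         # user -> {role, ...}

    def grant(self, role, action, resource):
        """Policy definition: allow `action` on `resource` ('*' = any resource) for `role`."""
        self.role_permissions.setdefault(role, set()).add((action, resource))

    def inherit(self, child, parent):
        self.role_parents.setdefault(child, set()).add(parent)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user):
        """Expand inheritance so a manager who inherits teller also gets the teller's grants."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.role_parents.get(role, ()))
        return seen

    def is_allowed(self, user, action, resource):
        """Policy enforcement: deny by default, allow only if an effective role grants it."""
        for role in self.effective_roles(user):
            for granted_action, granted_resource in self.role_permissions.get(role, ()):
                if granted_action == action and granted_resource in (resource, "*"):
                    return True
        return False

def build_bank_policy():
    """Constructed sample policy for the banking scenario; not from any real product."""
    p = Policy()
    p.grant("customer", "read", "own_account")
    p.grant("customer", "transfer", "own_account")
    p.grant("teller", "read", "*")               # tellers may read any account
    p.grant("auditor", "read", "*")              # auditors are read-only
    p.grant("manager", "approve", "large_transfer")
    p.inherit("manager", "teller")               # manager inherits everything a teller may do
    p.assign("alice", "customer")
    p.assign("bob", "manager")
    p.assign("carol", "auditor")
    return p
```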
OpenID (discussed below) enables authentication, whereas OAuth is considered an authorization protocol rather than an authentication protocol. Using OAuth on its own as an authentication method may be referred to as pseudo-authentication: the OAuth-generated access token acts as a kind of 'valet key' that the application can include with its API requests to the identity provider as proof of user authorization to perform the intended transaction or access the specific digital assets or resources.
Authorization messages between trusted partners often use SAML (read: Security Assertion Markup Language), which achieves interoperability across different vendor platforms that provide authentication and authorization services and follows an XML framework for exchanging security assertions among security authorities, making things easier for users.
Like SAML, there are other open-standard identity protocols, including OpenID, WS-Trust (read: Web Services Trust) and OAuth (pronounced 'Oh-Auth'), which lets a user's account information be used by third-party services without exposing the password.
Technologies such as OpenID propagate decentralized authentication protocols and allow users to be authenticated by co-operating sites (known as relying parties, or RPs) using a third-party service, without relying on a central authority to authenticate a user's identity; this ensures the user is always in control of what s/he shares and minimizes the risk of password hacks should a central authority be compromised. This trend is prevalent in social media, where users are more susceptible to online hacks and cybercrime.
Developing further on the OAuth principles, IndieAuth is a good example that rests upon an open-standard decentralized authentication protocol using OAuth 2.0 underneath; it enables services to verify the identity of a user represented by a URL, as well as to obtain an access token that can be used to access resources under the control of the user.
Attributes – User/Device Management deals with user and device identity life cycle governance: enrolment or registration / provisioning of IDs, user credentials and passwords, and deprovisioning them, as part of the manageability of the identities associated with users and devices. It typically ranges from creating a user in the system to grouping users in order to allocate or assign privileges to them. It defines the set of administrative functions such as identity creation, propagation and maintenance of user identities, profiles and privileges in a timely and accurate manner, enables self-service functions such as self-service password reset, and requires an integrated workflow capability to approve certain user actions such as user account provisioning and de-provisioning.
On the devices front there are additional functions, such as whitelisting devices so that they can seamlessly connect with digital entities, and the ability to govern the level of security protection (confidentiality, authentication, authorization) to be applied to unique data flows from sensors and other IoT components. Today mobile devices are used as one means of authentication to access the things around us and interoperate with most digital assets; some of their native features act as powerful authentication factors and are tightly integrated with other IoT devices. They drive different types of authentication mechanisms, such as facial recognition using the front-facing camera, voice recognition and gesture dynamics, in addition to traditional biometrics such as fingerprints.
Managing these devices via MDM (read: Mobile Device Management) tools is a key tenet of end-user device management supporting the digital identity management framework. The framework also covers IoT device authentication and confidentiality during Transport Layer Security (TLS) and other network protocol negotiations, as well as the various other identity bindings needed when integrating with other access control mechanisms. It ensures that the PKI architecture supports standard services such as revocation checking, trust management, and enrolment and registration procedures, and does not compromise the security of the devices and the digital assets they interact with in the digital ecosystem.
The IoT / smart device ecosystem is well supported by protocols with native support for authentication and authorization, for example:
- MQTT supports username and password authentication and, combined with TLS binding, can be a good choice for device authentication.
- CoAP, on the other hand, supports multiple authentication options for device-to-device communication and can pair with Datagram TLS (DTLS) for higher-level confidentiality services.
- XMPP supports a variety of authentication patterns via the Simple Authentication and Security Layer (SASL – RFC 4422). Mechanisms include one-way anonymous as well as mutual authentication with encrypted passwords, certificates and other means implemented through the SASL abstraction layer.
- The Data Distribution Standard (DDS) Security Specification provides endpoint authentication and key establishment to perform subsequent message data origin authentication (i.e., HMAC). Both digital certificates and various identity/authorization token types are natively supported in DDS deployments.
- Bluetooth, as we know, provides authentication services through two different device pairing options, Standard and Simple Pairing; one is automatic and the other requires human intervention to verify. Both types of Bluetooth devices display the same hash of the established key and offer both one-way and mutual authentication options.
Finally, the Directory / Digital Identity Store is an electronic repository for storing information that uniquely describes individuals or machine entities. It is the most vulnerable digital asset in the digital identity management ecosystem, and acts as a digital vault or central store for identity services and for federation with other internal or external entities. A simple Active Directory from the Windows world, accessible via LDAP, is a reasonably good example of a Directory / Identity Store to relate to; of course there are much more sophisticated products that combine digital stores with digital vaults to securely store and archive digital assets, and the list goes on.
In summary: digital identities protect digital assets, and the very purpose of digital identity management is to enable safe and secure transactions and to avoid repudiation (an assertion refuting a claim, or the refusal to acknowledge an action or transaction). Identity management is therefore critical and tightly coupled with access management for security, authenticity and lowering the risk of digital crime.
With the dramatic increase in cloud computing and the emerging IoT landscape, thousands of users are connecting to multiple devices and consuming multiple applications from the web, desktops and mobile devices, exchanging sensitive information and personal data over the internet via trusted digital identities, within a trusted framework of standards, tools and technologies that secures all digital transactions. Digital identity thus remains the key enabler of the digital transformation touching our digital lives, for sure!